Responsible Disclosure: XSS in Codeberg Pages


An XSS pop up alert on a webpage.

Codeberg is a hip new code hosting site - similar to GitHub and GitLab. And, much like Gits Hub & Lab, users can serve static content through Codeberg pages. Somehow I screwed up my configuration, and when I visited edent.codeberg.page/abc123 I got this error: Now, whenever I see something from the request echoed into the […]

Continue reading →

Responsible Disclosure: XSS in Macmillan's Website


Screenshot of the Macmillan website. The search box has some HTML in it - the page now looks like it says "Please enter your credit card details" with a big submit button.

Another day, another unfiltered reflection of user-supplied content! You know how this goes by now. You type into a search box <em>test and the whole page suddenly turns italic. Luckily, the Macmillan Publishers' website filtered out any <script> elements it encountered. But that still leaves the attacker with the ability to draw SVGs over the […]

Continue reading →

(Nearly) An XSS in Star Wars .com


An XSS pop-up on a Star Wars website.

You remember that bit in Star Wars where the Rebels find the flaw in the Death Star plans and then completely fail to exploit it? Yeah, that's why they don't make movies about inept hackers like me… Anyway, the website https://play.starwars.com/html5/starwars_crawlcreator/ allows users to create their own "Star Wars" style crawl. It's a fun little […]

Continue reading →

Certified in The Art of Hacking - Day 5


Logo for QA's certified in the art of hacking course.

This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! Verdicts Some of the lab tasks were impossible without looking at the cheat sheet. I got stuck on one […]

Continue reading →

Full Disclosure: XSS in Getty Images


Javascript popup on the Getty Images website.

I've spent two months trying to report this issue to Getty images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept payments from users - […]

Continue reading →

Responsible Disclosure: [REDACTED] XSS


A pop-up on a website. The HTML code shows the data has been injected.

Legacy websites are a constant source of vulnerabilities. In a fit of excitement, a team commissions a service and then never bothers updating it. Quite often the original owners leave the business and there's no-one left who remembers that the service exists. So it sits there, vulnerable, for years. The [REDACTED] website had a subdomain […]

Continue reading →

Responsible Disclosure: Content Injection flaw in Gett's Website


A basic form asking for users' credit card details.

Bit of a boring write-up, but here we go. Taxi app Gett had a content injection flaw in its search function. By searching for an HTML string, it was possible for an attacker to add links or images to a page. It was really hard to contact them - but the threat of media attention […]

Continue reading →

Responsible Disclosure: SVG injection in Three.co.uk


The website has a circle drawn on it.

Here's a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of Three.co.uk - one of the UK's mobile providers. A brief recap... Most websites have a search function. If you search for something which cannot be found, the site will often say "No results found for XYZ." If we can […]

Continue reading →

Security issues on ArtChain


A website with a popup notification.

One of the problems with the BlockChain goldrush is that it attracts a lot of people who don't necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem. I'd like to discuss ArtChain.info - "Certifying Art Using the Bitcoin Blockchain" - and the some of the […]

Continue reading →

Minimum Viable XSS


Update! I now have an XSS which is only 18 characters! Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echos back user input without sanitising it. So […]

Continue reading →